Initial Access Operations
Authorized Simulation
Initial access work validates whether an organization can prevent, detect, and respond to realistic entry attempts. Treat this as a controlled experiment: every target, channel, payload behavior, credential-handling rule, and stop condition must be approved before execution.
Written Authorization Required
Do not run social engineering, physical access, payload delivery, credential collection, or perimeter exploitation without signed Rules of Engagement. Define approved targets, hours, evidence handling, help-desk escalation, and emergency stop contacts before any activity begins.
Campaign Readiness Checklist
Authorization
- Named sponsor and legal approver
- Allowed initial access channels and excluded groups
- Explicit rules for credential capture, MFA prompts, and payload behavior
- Notification path for help desk, SOC, and incident commander
Safety Controls
- Benign landing pages and non-secret training tokens
- No persistence unless separately approved
- Rate limits that avoid lockouts and operational disruption
- Rollback plan for domains, mail flow, and test accounts
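The checklist above is only useful if something refuses to start a campaign that violates it. As an added example, not code from the original page, the following Python encodes the authorization and safety items as a pre-flight gate over a campaign record that uses the same field names as the YAML definition in the Phishing Simulation Design section. The signed roster counts, the send-rate ceiling, the set of permitted payload modes, and the helper names `preflight` and `with_override` are assumptions made for this example.

```python
"""Pre-flight gate for an initial-access campaign definition.

Added example; it is not code from the original page. It turns the readiness
checklist into hard checks: a campaign is refused unless credential capture
and MFA prompting are disabled, the payload mode is benign, every target
group has a named approver and a count matching the signed roster, the send
rate is under the RoE ceiling, and the mandatory stop conditions are listed.
"""
import copy

# Constructed for this example: the campaign record, using the same field
# names as the YAML definition in the Phishing Simulation Design section.
CAMPAIGN = {
    "campaign_id": "RT-IA-2026-001",
    "authorized_targets": [
        {"group": "finance-pilot", "approver": "<BUSINESS_OWNER>", "count": 25},
    ],
    "controls": {
        "credential_collection": "disabled",
        "mfa_prompting": "disabled",
        "payload_execution": "benign_callback_only",
        "max_messages_per_hour": 50,
    },
    "stop_conditions": [
        "user distress or safety concern",
        "help desk escalation threshold reached",
        "suspected real incident overlaps with exercise",
    ],
}

# Assumed for this example: the roster counts the business owner signed, and
# the send-rate ceiling written into the Rules of Engagement.
APPROVED_ROSTER = {"finance-pilot": 25}
RATE_CEILING_PER_HOUR = 60

# Assumed policy values: what the RoE permit regardless of what the file says.
REQUIRED_CONTROLS = {"credential_collection": "disabled", "mfa_prompting": "disabled"}
ALLOWED_PAYLOAD_MODES = {"none", "benign_callback_only"}
REQUIRED_STOP_CONDITIONS = {
    "user distress or safety concern",
    "suspected real incident overlaps with exercise",
}


def preflight(campaign, roster=APPROVED_ROSTER, rate_ceiling=RATE_CEILING_PER_HOUR):
    """Return the list of RoE violations; an empty list means the run may start."""
    problems = []
    if not campaign.get("campaign_id"):
        problems.append("campaign_id missing: telemetry cannot be correlated")

    targets = campaign.get("authorized_targets") or []
    if not targets:
        problems.append("no authorized target groups")
    for t in targets:
        group = t.get("group", "<unnamed>")
        if not t.get("approver"):
            problems.append(f"{group}: no named approver")
        if group not in roster:
            problems.append(f"{group}: not on the signed roster")
        elif t.get("count") != roster[group]:
            problems.append(f"{group}: count {t.get('count')} != approved {roster[group]}")

    controls = campaign.get("controls") or {}
    for key, required in REQUIRED_CONTROLS.items():
        if controls.get(key) != required:
            problems.append(f"controls.{key} must be {required!r}, got {controls.get(key)!r}")
    mode = controls.get("payload_execution")
    if mode not in ALLOWED_PAYLOAD_MODES:
        problems.append(f"controls.payload_execution {mode!r} is not an approved mode")
    rate = controls.get("max_messages_per_hour")
    if not isinstance(rate, int) or not 0 < rate <= rate_ceiling:
        problems.append(f"controls.max_messages_per_hour {rate!r} outside 1..{rate_ceiling}")

    missing = REQUIRED_STOP_CONDITIONS - set(campaign.get("stop_conditions") or [])
    for cond in sorted(missing):
        problems.append(f"stop condition missing: {cond}")
    return problems


def with_override(campaign, path, value):
    """Deep-copy the campaign and set one nested key; used to exercise refusal paths."""
    changed = copy.deepcopy(campaign)
    node = changed
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return changed


if __name__ == "__main__":
    cases = {
        "as approved": CAMPAIGN,
        "credential capture turned on": with_override(
            CAMPAIGN, ("controls", "credential_collection"), "enabled"),
        "count above signed roster": with_override(
            CAMPAIGN, ("authorized_targets", 0, "count"), 40),
    }
    for name, record in cases.items():
        issues = preflight(record)
        print(f"{name}: {'OK' if not issues else issues}")
```

The gate compares the file against values the sponsor signed, not against the file itself: a target count or send rate that someone edited upward after approval is a refusal, not a warning, and the campaign ID is mandatory because every later piece of evidence is correlated on it.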
Phishing Simulation Design
A strong simulation measures user reporting, mail-control coverage, identity telemetry, and SOC response without collecting real passwords or exposing sensitive content. Use a unique campaign ID, clearly scoped target list, and controlled telemetry markers.
```yaml
# One record per exercise; campaign_id is the marker used to correlate telemetry.
campaign_id: RT-IA-2026-001
authorized_targets:
  - group: finance-pilot
    approver: <BUSINESS_OWNER>
    count: 25
controls:
  credential_collection: disabled
  mfa_prompting: disabled
  payload_execution: benign_callback_only
  max_messages_per_hour: 50
stop_conditions:
  - user distress or safety concern
  - help desk escalation threshold reached
  - suspected real incident overlaps with exercise
evidence_to_capture:
  - message delivery and block status
  - user report timestamps
  - security tool detections
  - SOC triage notes
  - lessons learned and control gaps
```
Perimeter Access Validation
| Channel | Safe Test Goal | Evidence |
|---|---|---|
| Email | Validate gateway filtering, report workflows, and identity alerts. | Delivery logs, report rates, detection events. |
| VPN / SSO | Confirm MFA, conditional access, lockout, and impossible-travel controls. | Approved test account logs and policy decisions. |
| Exposed Apps | Validate patching, access control, and alerting for known-safe proof checks. | Request IDs, screenshots, sanitized responses. |
| Physical | Measure badge challenge, visitor process, and security escalation. | Observer notes, time stamps, and debrief outcomes. |
Detection Opportunities
- New sender infrastructure touching protected groups.
- Unusual OAuth consent, SSO failures, MFA denials, or impossible-travel events from test accounts.
- Outbound callback attempts from test payload beacons to approved collector domains.
- Help-desk tickets and user reports correlated to the campaign ID.
- Physical access escalation timing from first interaction to security notification.
What Makes This Useful
The best initial-access exercise produces a control map: which prevention controls stopped the attempt, which detections fired, which teams responded, and which playbook steps need tuning. A click rate alone is not a security outcome.
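As an added example, not code from the original page, the following Python does the correlation the Detection Opportunities list above calls for and reduces it to the control map described here: what the gateway blocked, what was delivered, who reported, which tool fired, which help-desk tickets appeared, which recipients went silent, and how long the SOC took from delivery to triage. The telemetry records are constructed for illustration, and the source names, event fields, timestamps, and the function name `control_map` are assumptions.

```python
"""Fold campaign-tagged telemetry into the control map the section describes.

Added example; not code from the original page. Every record below is
constructed for illustration and carries the campaign ID as its correlation
marker, so exercise events can be separated from unrelated reports and the
per-recipient outcome (blocked, delivered, reported, detected, triaged) and
response timings can be computed without touching real incident data.
"""
from datetime import datetime


def ev(ts, source, user, action, campaign_id="RT-IA-2026-001"):
    """Build one telemetry record; field names are assumed for this example."""
    return {"ts": ts, "source": source, "user": user, "action": action,
            "campaign_id": campaign_id}


# Constructed sample telemetry (not real logs).
EVENTS = [
    ev("2026-03-02T09:00:05Z", "mail_gateway", "u1", "delivered"),
    ev("2026-03-02T09:00:06Z", "mail_gateway", "u2", "blocked"),
    ev("2026-03-02T09:00:07Z", "mail_gateway", "u3", "delivered"),
    ev("2026-03-02T09:00:08Z", "mail_gateway", "u4", "delivered"),
    ev("2026-03-02T09:04:30Z", "user_report", "u1", "reported"),
    ev("2026-03-02T09:06:00Z", "edr", "u3", "benign_callback_detected"),
    ev("2026-03-02T09:09:00Z", "helpdesk", "u3", "ticket_opened"),
    ev("2026-03-02T09:15:00Z", "soc", "u1", "triaged"),
    ev("2026-03-02T09:20:00Z", "soc", "u3", "triaged"),
    # Unrelated report with no campaign marker: must not be counted.
    ev("2026-03-02T09:10:00Z", "user_report", "u9", "reported", campaign_id=None),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def control_map(events, campaign_id):
    """Return a summary of outcomes and timings for one campaign ID."""
    per_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["campaign_id"] != campaign_id:
            continue                         # noise or another exercise: ignore
        u = per_user.setdefault(e["user"], {
            "blocked": False, "delivered": None, "signals": [],
            "first_signal": None, "soc_triaged": None,
        })
        ts, src, act = _parse(e["ts"]), e["source"], e["action"]
        if src == "mail_gateway":
            if act == "blocked":
                u["blocked"] = True          # prevention control stopped it
            elif act == "delivered":
                u["delivered"] = ts
        elif src in ("user_report", "edr", "helpdesk"):
            u["signals"].append(src)         # a detection or a human raised it
            if u["first_signal"] is None:
                u["first_signal"] = ts
        elif src == "soc" and act == "triaged":
            u["soc_triaged"] = ts            # response team picked it up

    def secs(later, earlier):
        return int((later - earlier).total_seconds())

    delivered = {n: u for n, u in per_user.items() if u["delivered"]}
    return {
        "targeted": len(per_user),
        "blocked_at_gateway": sum(u["blocked"] for u in per_user.values()),
        "delivered": len(delivered),
        "user_reported": sum("user_report" in u["signals"] for u in per_user.values()),
        "tool_detected": sum("edr" in u["signals"] for u in per_user.values()),
        "helpdesk_tickets": sum("helpdesk" in u["signals"] for u in per_user.values()),
        "soc_triaged": sum(u["soc_triaged"] is not None for u in per_user.values()),
        # Delivered, never reported, never detected, never triaged: the control gap.
        "silent": sorted(n for n, u in delivered.items()
                         if not u["signals"] and u["soc_triaged"] is None),
        "seconds_to_first_signal": {n: secs(u["first_signal"], u["delivered"])
                                    for n, u in delivered.items() if u["first_signal"]},
        "seconds_to_soc_triage": {n: secs(u["soc_triaged"], u["delivered"])
                                  for n, u in delivered.items() if u["soc_triaged"]},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(control_map(EVENTS, "RT-IA-2026-001"), indent=2))
```

The `silent` list is the output worth reading first: a recipient who received the message and produced no report, no detection, and no ticket is a gap in every layer at once, which a click rate would never show. The timing dictionaries give the SOC and help desk a concrete number to tune their playbooks against.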